Who Can Help You
I have partnered with others who can perform your required HIPAA Security Risk Assessment. Compliance with the HIPAA Privacy Rule can be achieved by anyone, but compliance with the Security Rule requires more than just some software and some man-hours. Technical knowledge of systems is critical, and overlooking something could be financially devastating to a business.

By outsourcing your required Oregon HIPAA Security Risk Assessment to a professional, you will be better able to develop an economically reasonable and appropriate plan that will allow you to become 100% compliant with every aspect of the HIPAA Security standard.

If you haven’t done so already, call your professional association RIGHT NOW and see what seminars are next available. After attendance, you’ll be better able to understand the enormity of these Federal regulations.

HIPAA was an Act of Congress. To be exact, it was the Health Insurance Portability and Accountability Act of 1996. The last Act of Congress to affect American business to this degree was the Americans with Disabilities Act.

In HIPAA, Portability means being able to keep your health insurance, through COBRA for instance. That’s important to people, but that’s certainly not what the HIPAA uproar is all about.

The HIPAA uproar is all about accountability. Accountability means that the Federal Government is now regulating ALL U.S. health care providers, doctors’ offices, etc. for complete privacy and security of ALL information regarding their patients. Penalties for HIPAA violations include fines starting at $100 each and ranging all the way up to $250,000 and ten years in prison.

Why HIPAA?

Did you know that the pharmaceutical giant Eli Lilly sold the mailing list of patients who had been prescribed Prozac? How about the fact that tennis great Arthur Ashe’s HIV status was office gossip that slipped out to the press, forcing him to address it publicly? These and countless other violations of privacy are exactly what HIPAA is intended to combat.

Protected Health Information (PHI) can be used by marketers, employers, insurance companies, politicians, and any number of other entities to discriminate, punish, hire, fire, market to and even blackmail you. Somebody has to protect that privileged information, and that somebody is YOU, the health care professional. Why? Because an Act of Congress says so, that’s why.

If you are a licensed medical provider of any kind, no matter how small your office is, you are (or will soon be declared to be) a “covered entity” under the HIPAA regulations. Anything else you’ve heard is simply not true. HIPAA is here to stay, and unless you’re considering a career change, you’re going to have to take it seriously.

What should you do?

You are going to have to do a lot of the privacy work yourself, and that’s okay, because qualified HIPAA help is hard to find. Even when you can find it, it will be expensive, so all the work you can do yourself will save you money. It won’t be particularly difficult, but it will take time. A lot of time. The average two-doctor office, with a staff of 6, will require 60 to 80 hours of work to become fully HIPAA Privacy compliant. Even then, regular maintenance will be required to remain compliant.

There are dozens of software packages to help with the privacy rules that range in price from $300 to $3000 and even higher. They are designed to facilitate everything you need to do, and boy, is there a lot to do. Do not attempt to do it without one of these packages unless you like punishing yourself. At this time I’ve used three, and all of them were pretty easy to get started with. If you need help finding one, e-mail me.

Security and Privacy

There are actually two separate and distinctly different HIPAA accountability sections. One deals with privacy, and one with security, both physical and electronic. The HIPAA Security Rule was finalized in February of 2003, and full compliance is mandatory by April 21, 2005.

However, the first security compliance date has already passed. October 16, 2002 was the deadline for compliance with the Transactions and Code Set Standards for electronic billing. You should have filled out a request-for-extension form by October 15, 2002, and if you didn’t, then you are already in violation. You need a copy of a corrective plan of action filled out and in your file cabinet in case anyone comes to check (which they won’t, but do it anyway).

Getting Help

Unlike the Privacy Rule, the Security Rule cannot be dealt with yourself simply by using a software package and allocating enough time. The technical skills and computer knowledge required to complete the Security Risk Assessment are fairly extensive, and most small offices will have to outsource in order to get an accurate picture of the steps they’ll need to take to become Security compliant. By starting on the security plan now, you will have over a year before the deadline to budget for any required changes to your technology.

Just like the Americans with Disabilities Act of 1990, HIPAA will create a cottage industry of HIPAA-related services, businesses and consultants. That industry can be an excellent resource for you, or an incredible boondoggle to try to navigate. My own business, Portland Technology Consultants, currently performs HIPAA Security services, but only for offices with fewer than 25 employees.

This article is not intended to scare you, but to inform you. Make no mistake, there will be an enormous amount of work involved, over the next few months and years, not only for doctors and their staff, but for pharmacies, insurance companies and lawyers too.

Be sure you get quality advice, service, and products at fair prices. The best way to do this is to talk among yourselves. Call and e-mail your friends and colleagues to discuss progress, software, and any compliance problems and solutions that might help others. Above all, don’t worry! Just don’t procrastinate and you’ll be fine. You made it through medical school, didn’t you?